This invention relates to the application of a system policy for program modules, such as application programs, for storing user preferences and other data in binary format within the registry of an operating system for a computer system. More particularly, this invention relates to applying one or more system policies to end user""s machines within an administered network environment for application programs that can write registry parameters in a binary format.
A system policy is a method of remotely controlling end users"" desktops in an administered network environment. It allows network administrators to control registry parameters such as user preferences or restrictions. A representative tool for defining a system policy is the System Policy Editor, which consists of a single executable (poledit.exe) that runs on xe2x80x9cWINDOWS 95,xe2x80x9d xe2x80x9cWINDOWS 98xe2x80x9d and xe2x80x9cWINDOWS NT 4.0xe2x80x9d operating systems developed and marketed by Microsoft Corporation of Redmond, Wash.
The System Policy Editor works in conjunction with templates, which are text files typically having a certain format and the extension ADM. The policy template is written by the application vendor to expose registry settings of interest to the administrator. The administrator runs the policy editor, opens a policy template, selects a setting, and chooses a value to enforce. The results are stored in a policy (POL) file, which is typically stored on the network logon server or another specified location. When a client computer logs on to the server network, the operating system running on the client computer locates the POL file and applies the policies to the end user""s machine.
Prior system policy editors have supported data of types string (REG_SZ), expandable string (REG_EXPAND_SZ), or double-byte numeric (REG_DWORD), but have not supported binary data (REG_BINARY). For programs that store user preferences and other data in binary format, a system administrator has been unable to use an available system policy tool to implement a policy affecting those binary settings. System administrators have been frustrated that registry settings of interest for a policy could not be enforced for programs that store user preferences and other data in binary format within the registry. In view of the foregoing, there is a need in the art for a mechanism that enables a system administrator to enforce a system policy within an administered network environment for programs that store binary-formatted data within the registry of a computer system.
One prior technique for addressing the enforcement of a system policy for registry data maintained in a binary format is the creation of registry xe2x80x9coverridexe2x80x9d data for a selected set of registry values. Registry override data comprises discrete value name/data pairs that correspond to specific bits for registry data maintained in a binary format. Because the registry override data is maintained in string or numeric data format, a system administrator can implement a system policy that affects the registry override settings. During application launch, the application can determine whether a policy file has applied system policy to a registry override value and, if so, the application can change the value for the corresponding bit in the binary formatted data of the registry.
Although the registry override solution allows a system administrator to apply system policy to selected set of binary formatted registry values, this solution is available only for a minimum number of registry values because each registry override affects the launch time of the application. In addition, the registry override solution is not extensible when new registry settings are added to another release of the application. Because the registry override values affected by system policy are written to disk in response to exiting the application, the prior registry values set by the user are xe2x80x9cinfectedxe2x80x9d by the system policy values. In other words, the user""s preferred assignment of registry values corresponding to the registry override values are effectively overwritten by the application of system policy and are no long available for future application sessions, including those sessions conducted away from the administered computer network. Consequently, there is a need for an extensible mechanism for efficiently applying a system policy to registry data having a binary format. There exists a further need for a mechanism that can apply a system policy binary-formatted registry values without xe2x80x9cinfectingxe2x80x9d user preferences in the registry.
In summary, the prior art has failed to provide an extensible and efficient mechanism for applying a system policy to registry data having a binary format. System administrators have been frustrated by the lack of a commonly available tool for applying a system policy affecting numerous binary registry data values. Likewise, users of machines in an administered computer network do not desire the permanent replacement of user registry values by registry override values that infect the preferred user settings in the registry. The present invention addresses these and other problems in the prior art by using registry data having a predetermined format to alter data maintained in a binary data structure to enforce a particular policy value for each application session.
The present invention can read alphanumeric data of a registry of a computer system and interpret this data as values of one or more binary bits stored in a global data structure. These values of specific bits for the global data structure can be changed during the run-time of a program module, such as an application, without affecting the other values in the data structure. In this manner, the invention allows system policies, which are normally limited to string or numeric data types, to include data that an application stores in binary format.
The invention also can prevent the writing of temporarily altered bit values to permanent storage when the data structure is saved during normal program module execution or shut-down sequences. The invention can avoid permanently writing policy data to a storage mechanism, such as the hard disk of the user""s machine, because the existing values of bits set by a policy are stored in a temporary data structure while the application is running. When the user exits the application, the temporarily stored values are written back into the data structure before it is saved to the hard disk of the user""s machine. In this manner, system policies desired by a system administrator may be implemented on a user""s machine without permanently altering the setup of a user""s machine.
Registry data is typically read by an application when the application is booted. For each global data structure, the application searches a particular location in the registry and enumerates named values. Named values preferably have a format that describes an offset defining a start position in the data structure and the number of affected bits. The value data defines the values applied to the affected bits. The value name is formatted with the information needed to correctly apply the policy.
For one aspect of the present invention, the syntax for value names is  less than comment greater than _ less than offset greater than _ less than number of bits greater than . The  less than comment greater than  is optional and used primarily for documentation purposes. The  less than offset greater than  describes the start location in the global data structure for which the policy is intended to control. More precisely, the  less than offset greater than  describes the number of bits from the beginning of the data structure to the beginning of the region that this policy controls. The  less than number of bits greater than  describes the size of this particular setting in bits.
Although a policy value can be written to the user""s registry when the user logs onto the network, the value has no effect until the user boots the application. During application boot or launch, the application attempts to load policy settings for its binary setting objects by opening and enumerating the contents of the appropriate keys in the registry. When a registry key corresponding to a data structure does not exist or is empty, the application will assume that no policies are set for that structure and move on. The invention can use a key path, which is a location in the registry where a value is written, to distinguish between policies intended for different applications. A key path also can be used to distinguish between policies intended for different data structures within the same application.
When the application finds values under one of the special policy keys, the value name is parsed to search for the underscore separator to determine the offset and size of the bit field the policy is intended to control. If the offset and size are valid, a record of the original value of the data structure field is created and that record is added to a list of all policy changes applied to this data structure. The application can then translate the value associated with the policy into a bit mask applied to the data structure.
When the user exits the application, the application will save changes made to its settings. Before these settings are saved to the hard disk of the user""s machine, the application checks the list of policy changes for each of the data structures affected by a policy. If the application has added any records to this list during start-up, those changes are now xe2x80x9crolled backxe2x80x9d to erase any changes made to the fields affected by policy. This also can overwrite any user changes to the affected fields. In other words, the fields are effectively locked so long as policy is present.
These and other features, advantages, and aspects of the present invention may be more clearly understood and appreciated from a review of the following detailed description of the disclosed embodiments and by reference to the appended drawings and claims.